From 5bf8474f8fa3ae14dfb1d97c6e6987a2eb8182e6 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 26 Nov 2006 17:34:48 +0000 Subject: [PATCH] Fixes to 'rules' man page git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5008 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages/shorewall-rules.xml | 94 ++++++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 35 deletions(-) diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml index 3b4c13782..74d585da1 100644 --- a/manpages/shorewall-rules.xml +++ b/manpages/shorewall-rules.xml @@ -21,11 +21,12 @@ Description - Rules in this file govern connection establishment. Requests and - responses are automatically allowed using connection tracking. For any - particular (source,dest) pair of zones, the rules are evaluated in the - order in which they appear in this file and the first match is the one - that determines the disposition of the request. + Rules in this file govern connection establishment. Subsequent + requests and responses are automatically allowed using connection + tracking. For any particular (source,dest) pair of zones, the rules are + evaluated in the order in which they appear in this file and the first + terminating match is the one that determines the disposition of the + request. All rules are terminating except LOG and QUEUE rules. In most places where an IP address or subnet is allowed, you can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to indicate 
@@ -36,12 +37,13 @@ If you masquerade or use SNAT from a local system to the internet, you cannot use an ACCEPT rule to allow traffic from the internet to that - system. You *must* use a DNAT rule instead. + system. You must use a DNAT rule + instead. The rules file is divided into sections. Each section is introduced - by a "Section Header" which is a line beginning with SECTION followed by - the section name. + by a "Section Header" which is a line beginning with SECTION and followed + by the section name. Sections are as follows and must appear in the order listed: @@ -132,7 +134,8 @@ role="bold">:tag]] - Must be one of the following. + Specifies the action to be taken if the connection request + matches the rule. Must be one of the following. @@ -148,7 +151,8 @@ like ACCEPT but also excludes the connection from any - subsequent DNAT[DNAT[-] or REDIRECT[-] rules @@ -222,7 +226,7 @@ Advanced users only. - Like SAME but only generates the NAT iptables rule and + Like SAME but only generates the nat iptables rule and not the companion ACCEPT rule. @@ -232,7 +236,8 @@ REDIRECT - Redirect the request to a server on the firewall. + Redirect the request to a server running on the + firewall. @@ -258,8 +263,9 @@ Do not process any of the following rules for this (source zone,destination zone). If the source and/or destination IP address falls into a zone defined later in - shorewall-zones(5), this connection request will be passed to - the rules defined for that (those) zone(s). + shorewall-zones(5) or in a parent zone of the source or + destination zones, then this connection request will be passed + to the rules defined for that (those) zone(s). @@ -267,7 +273,8 @@ LOG - Simply log the packet and continue. + Simply log the packet and continue with the next + rule. @@ -276,7 +283,8 @@ Queue the packet to a user-space application such as - ftwall (http://p2pwall.sf.net). + ftwall (http://p2pwall.sf.net). The application may reinsert + the packet for further processing. 
@@ -307,9 +315,10 @@ macro - The name of a macro defined in a file named macro.If the - macro accepts an action parameter (Look at the macro source to - see if it has PARAM in the TARGET column) then the + The name of a macro defined in a file named + macro.macro. If the macro accepts an + action parameter (Look at the macro source to see if it has + PARAM in the TARGET column) then the macro name is followed by "/" and the target (ACCEPT, The ACTION may optionally be followed by ":" and a syslog log level (e.g, REJECT:info or DNAT:debug). This causes the packet to be logged at the specified - level. + level. Note that if the ACTION + involves destination network address translation (DNAT, REDIRECT, + SAME, etc.) then the packet is logged before the destination address is + rewritten. If the ACTION names an action defined in shorewall-actions(5) or in @@ -347,18 +360,19 @@ - The special log level 'none!' suppresses logging by the + The special log level none! suppresses logging by the action. - You may also specify ULOG (must be in upper case) as a log - level.This will log to the ULOG target for routing to a separate - log through use of ulogd + You may also specify ULOG + (must be in upper case) as a log level.This will log to the ULOG + target for routing to a separate log through use of ulogd (http://www.gnumonks.org/projects/ulogd). Actions specifying logging may be followed by a log tag (a - string of alphanumeric characters) are appended to the string + string of alphanumeric characters) which is appended to the string generated by the LOGPREFIX (in shorewall.conf(5)). Example: ACCEPT:info:ftp would include 'ftp ' at the end of @@ -374,8 +388,8 @@ role="bold">+][-]}[:interface][:{address-or-range[,address-or-range]...|+ipset}[exclusion] + role="bold">:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset} Source hosts to which the rule applies. May be a zone defined 
@@ -465,6 +479,15 @@ + + net:!192.0.2.11-192.0.2.17 + + + All hosts in the net zone except for + 192.0.2.11-192.0.2.17. + + + net:155.186.235.0/24!155.186.235.16/28 @@ -493,8 +516,8 @@ role="bold">+][-]}[:interface][:{address-or-range[,address-or-range]...|+ipset}}[exclusion] + role="bold">:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset} Location of Server. May be a zone defined in @@ -562,18 +585,19 @@ Example: - "loc:192.168.1.3:3128" specifies a local server at IP - address 192.168.1.3 and listening on port 3128. The port - number MUST be specified as an integer and not as a name from - services(5). + loc:192.168.1.3:3128 + specifies a local server at IP address 192.168.1.3 and + listening on port 3128. The port number MUST be specified as + an integer and not as a name from services(5).
if the ACTION is REDIRECT, this column needs only to contain - the port number on the firewall that the request should be + role="bold">REDIRECT or REDIRECT-, this column needs only to + contain the port number on the firewall that the request should be redirected to.
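Review bot: in hunk @@ -21,11 +21,12 @@ the unchanged context line still misspells "preceed" ("you can preceed the address/subnet with "!""); since this paragraph is being reworded in the same hunk, change it to "precede" here rather than leaving the typo for a follow-up commit.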
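Review bot: in the hunk that adds the note "the packet is logged before the destination address is rewritten", the list "(DNAT, REDIRECT, SAME, etc.)" leaves the reader guessing which other actions are covered; the same patch documents the DNAT- and REDIRECT- forms (in the NONAT and REDIRECT/REDIRECT- hunks), which also rewrite the destination, so spell those out, e.g. "(DNAT, DNAT-, REDIRECT, REDIRECT-, SAME and SAME-)", instead of "etc.".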
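Review bot: in hunk @@ -347,18 +360,19 @@ the rewritten ULOG sentence still runs "as a log level.This will log to the ULOG target" with no space after the period; the "-" line shows the defect was already present, so fix it while the line is being touched: "as a log level. This will log to the ULOG target".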
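Review bot: in hunk @@ -465,6 +479,15 @@ the new example uses the 192.0.2.0/24 documentation range ("net:!192.0.2.11-192.0.2.17"), while the example that follows it in the unchanged context uses "net:155.186.235.0/24!155.186.235.16/28", a routable public range; use documentation addresses in both examples so that readers who copy them do not end up excluding someone else's real network.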